People who visit adult websites are being exposed on a daily basis to malware, phishing, and malicious spam campaigns, with premium accounts used on these websites that get stolen ending up on dark web markets. While visitors of adult websites being targeted by threat actors is definitely not something new, during 2018 cybercriminals increased their activity dramatically, with attacks targeting adult website credentials, for example, increasing by 300%. Users who were looking around the web for adult content have been safer during 2018, with the number of attacks dropping by roughly 36% from more than a million in 2017 to around 650,000 last year. However, while malware targeting adult content viewers declined in diversity, cybercriminals still managed to push out a larger amount of malware samples throughout 2018. Credential-stealing attacks saw a 300% boost in numbers. According to Kaspersky Lab's year in review report of cyber threats targeting online adult content viewers, credential stealing malware now focuses on a smaller number of websites, cutting down the list from Brazzers, Chaturbate, Pornhub, Myfreecams, Youporn, Wilshing, Motherless, XNXX, and XVideos, down two only two websites: PornHub and XNXX. To drop malware payloads on their targets' computers, threat actors disguised them as videos on malicious websites they control and used search query results manipulation as the main technique to make sure that their victims were funneled to their first stage infection vectors. In total, in 2018 87,227 users downloaded malware disguised as adult content in 2018, 8% of them have used their company's network instead of using a personal Internet connection. For facts and figures visit OUR FORUM.

Microsoft's Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy to autorun Flash content without having to ask for user consent. According to the initial bug report filed by Google Project Zero's Ivan Fratric on November 26: In Microsoft Windows, there is a file edgehtmlpluginpolicy.bin that contains the default whitelist of domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge. The current version of the previously secret Edge whitelist will only allow Facebook to bypass the Flash click-to-play policy on its facebook.com and apps.facebook.com domains, a policy which is currently enforced for all other domains not present on this list. In his bug report, the security researcher also highlighted the security implications of having a Flash autorun whitelist bundled with a web browser, especially given the number of Flash security patches issued by Adobe almost every month. However, back in November, the security researcher initially found in the whitelist the sha256 hashes of 58 domains on Windows 10 v1803, which he was able to decrypt and obtain the names of 56 sites. The choice to encrypt the entries added to the whitelist and the decision to keep Facebook's domains whitelisted even after this month's Patch Tuesday are two other questions that only Microsoft can answer. While Microsoft managed to get around to partially address the issue reported by Fratric back in November 2018, the security researcher is still dumbfounded by Redmond's choice to use a Flash whitelist in the first place. We have the contents of the hidden whitelist posted on OUR FORUM.

At the Galaxy Unpacked event, the South Korean smartphone maker Samsung announced the highly anticipated foldable phone, the Galaxy Fold. Samsung Galaxy Fold packs a large 7.3-inch Infinity Flex Display that allows the device to switch between the tablet and phone mode. At the event, Samsung showed off the Galaxy Fold switching flawlessly between phone and tablet mode. The foldable device can run three apps at once and Samsung’s app continuity system will adjust these apps when you unfold or fold the device. Samsung has worked with Google and the community developers to optimize the apps for its foldable phone. At the event, Samsung revealed that its Galaxy Fold device is configured to work with all popular apps and even the Microsoft Office suite. The software and hardware have been optimized to work with apps like Google Maps WhatsApp, as well as the Microsoft Office productivity suite. Microsoft Office apps have been specially adapted to work with the 7.3-inch display and it will be able to adjust the interface quickly when you move between the two form factors. Samsung’s first foldable is simply called the Galaxy Fold. It has a 7.3-inch Infinity Flex screen when opened and it switches to a 4.6-inch screen when it’s folded. The resolution of the giant display is 1536 x 2152 and it reduces to 840 x 1960 when it’s folded. Samsung Galaxy Fold uses two batteries and while they are separated by the fold, they are combined when you boot the operating system. Full details can be found on OUR FORUM.

Microsoft will begin rolling out SHA-2 standalone updates for Windows 7 and Windows Server 2008 in March in preparation for its July 16 implementation deadline. Windows 7 and Windows Server 2008 users need to have SHA-2 code-signing installed by July 16, 2019, in order to continue to get Windows updates after that date. Microsoft issued that warning on February 15 via a Support article. Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to prove authenticity. A bug going forward, due to "weaknesses" in SHA-1, Microsoft officials have said previously that Windows updates will be using the more secure SHA-2 algorithm exclusively. Customers running Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 must have SHA-2 code-signing support installed by July 2019, Microsoft officials have said. Microsoft has published a timeline for migrating these operating systems to SHA-2, with support for the algorithm coming in standalone updates. On March 12, Microsoft is planning a standalone update with SHA-2 code sign support for Windows 7 SP1 and Windows Server 2008 R2 SP1. It also will deliver to WSUS 3.0 SP2 the required support for delivering SHA-2 updates. Microsoft will make available a standalone update with SHA-2 code sign support for Windows Server 2008 SP2 on April 9, 2019. Learn more by visiting OUR FORUM.

Facebook deliberately broke privacy and competition law and should urgently be subject to statutory regulation, according to a devastating parliamentary report denouncing the company and its executives as “digital gangsters”. The final report of the Digital, Culture, Media and Sport select committee’s 18-month investigation into disinformation and fake news accused Facebook of purposefully obstructing its inquiry and failing to tackle attempts by Russia to manipulate elections. “Democracy is at risk from the malicious and relentless targeting of citizens with disinformation and personalized ‘dark adverts’ from unidentifiable sources, delivered through the major social media platforms we use every day,” warned the committee’s chairman, Damian Collins. Labour moved quickly to endorse the committee’s findings, with the party’s deputy leader, Tom Watson, announcing: “Labour agrees with the committee’s ultimate conclusion – the era of self-regulation for tech companies must end immediately. “We need new independent regulation with tough powers and sanctions regime to curb the worst excesses of surveillance capitalism and the forces trying to use technology to subvert our democracy.” The culture secretary, Jeremy Wright, who is to meet Zuckerberg this week to discuss harms resulting from social media, will likely come under pressure to raise the committee’s concerns with the Facebook chief executive directly. Launched in 2017 as concern grew about the influence of false information and its ability to spread unscrutinized on social media, the inquiry was turbocharged in March the following year, with the Cambridge Analytica data-harvesting scandal. There's more posted on OUR FORUM.

New York resident Jay Brodsky has filed a class action lawsuit against Apple, claiming that the company forces users into a two-factor authentication (2FA) straitjacket that they can’t shrug off, that it takes up to five minutes each time users have to enter a 2FA code, and that the time suck is causing “economic losses” to him and other Apple customers. The lawsuit, filed on Friday in Newport Beach, California, is accusing Apple of “trespass,” based on Apple’s “locking [Brodsky] out” of his devices by requiring 2FA that allegedly can’t be disabled after two weeks. The reference to two weeks comes from support email that Apple sometimes sends out to Apple ID owners after it enables 2FA. That email contains what the lawsuit claims, with italicized emphasis, is an unobtrusive last line that says that owners have two weeks to opt out of 2FA and go back to their previous security settings. The suit claims that around September 2015, Brodsky’s Apple devices – including an iPhone and two MacBooks – were updated to have 2FA turned on, “without [his] knowledge or consent,” thus “[locking] up access” to Brodsky’s own devices and making them “inaccessible for intermittent periods of time.” Apple is causing injury to class members by “intermeddling” with the use of their devices and not letting them choose their own security level or “freely enjoy and use” their gadgets, the suit claims. Also, by “injecting itself in the process by requiring extra logging steps,” Apple is allegedly violating California’s Invasion of Privacy Act – Section 637.2 of the California Penal Code. A third count is allegedly violating California Penal Code section 502: California’s Computer Crime Law (CCL). A fourth count is that Apple allegedly violates the Computer Fraud and Abuse Act (CFAA) by accessing people’s devices without authorization. Follow this on OUR FORUM.